PINs and Needles: New Ways to Authenticate Users

Keep this to yourself, obviously, but answer honestly: How many different passwords do you use at one time? And, how difficult would it be for someone to guess any of them?

The venerable username-password combination has been around for as long as there have been individual computer user accounts—dating back to the punch-card era. Although we have tried various ways to make them more secure—requiring a mixture of upper- and lowercase letters, numbers, and special characters or requiring passwords to be changed periodically—the fact remains that the only passwords that are truly secure (that is, difficult to guess) are impossible to remember.

It’s time to rethink user authentication, and some very smart people are doing just that.

Disadvantages of Passwords

Besides using passwords that are notoriously easy to guess (a disturbing number of people use “123456”), many people have a habit of using the same password for all of their user accounts. So once a hacker tricks you into giving up your password for one account, all of your user accounts may be compromised…including ones you will have forgotten about until it’s too late.

Password Alternatives

Some alternatives to passwords that have been proposed in the past include:

Keyfobs that display a pseudorandom number that changes periodically (typically every minute) and is synchronized with a server that generates the same sequence of pseudorandom numbers. Security is increased because you have to use a password (something you know) combined with the keyfob (something you have). The downside is that this is fairly pricey and typically used by large companies to secure remote access to their networks.

Graphical PIN pads, where in addition to your password you click on numbers to enter a PIN. This approach protects you from keylogging malware, but it’s a bit of a pain to use.

Text messaging of access codes, which is easier now because of the ubiquity of text-capable mobile phones. Because of the delay in transmitting and receiving text messages, this approach is typically used to verify your identity when you set up an account or reset a password, rather than every time you access your account.

The (Near) Future of User Authentication

As with so many emerging technologies these days, the future of user authentication is driven by mobile. Many of the alternatives to passwords that are being proposed take advantage of techniques and features that are available on mobile devices:

PIN patterns: Most mobile devices have lock screens with the option of being unlocked by drawing a pattern on the touchscreen. This technique could easily be extended to mobile apps and mobile-optimized websites. Obviously, this technique lends itself better to mobile devices than to the mouse-driven user interfaces of laptops and desktops.

Biometrics: With their touchscreens and high-resolution cameras, mobile devices are well suited to capturing and comparing biometric data such as fingerprints and iris scans. The main advantage of these is that there is no way to hack them; no one can “steal” your fingerprint or iris pattern, so only you can authenticate with them. However, most laptops and desktops lack this capability.

Graphical passwords: One intriguing approach that lends itself to all kinds of devices is graphical passwords. In one implementation, you choose a small number of images when you set up your account. When you log in, a subset of these images are arranged randomly with other images in a grid, which includes random number sequences across the top and left sides. Your password is the combination of numbers corresponding with your images, and you type this combination in a password box. It doesn’t work so well for the vision-impaired, but it’s extremely difficult to hack because the password that you enter is different every time.

What’s In It For You?

If you enable users to register on your website, they probably do so with usernames and passwords. With more people adopting mobile devices as their primary method of accessing the Internet, and with better and more secure authentication methods being developed, it’s worthwhile to look into these alternatives, especially if you have sensitive data on your site. The days of having to come up with passwords that are both hard to guess and easy to remember may be finally, mercifully, coming to a close.